CVE-2025-27147
📋 TL;DR
CVE-2025-27147 is an improper access control vulnerability in the GLPI Inventory Plugin that allows unauthorized users to perform administrative actions. This affects all GLPI installations using the Inventory Plugin versions before 1.5.0. The vulnerability enables attackers to bypass authentication and execute privileged operations.
💻 Affected Systems
- GLPI Inventory Plugin
⚠️ Manual Verification Required
This CVE has no specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to deploy malicious software, modify system configurations, exfiltrate sensitive inventory data, and potentially pivot to other network systems.
Likely Case
Unauthorized access to inventory data, modification of agent configurations, and potential deployment of unauthorized software packages to managed endpoints.
If Mitigated
Limited impact with proper network segmentation and strict access controls, potentially only allowing information disclosure of inventory data.
🎯 Exploit Status
Exploitation requires understanding of the plugin's API endpoints and access patterns. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-h6x9-jm98-cw7c
Restart Required: No
Instructions:
1. Back up your GLPI database and configuration.
2. Update the GLPI Inventory Plugin to version 1.5.0 via the GLPI plugin interface or by manual installation.
3. Verify that the plugin version shows 1.5.0 in the GLPI administration panel.
🔧 Temporary Workarounds
Disable Inventory Plugin
Temporarily disable the vulnerable plugin until patching can be completed
Navigate to GLPI administration > Plugins > Inventory Plugin > Disable
Restrict Network Access
Limit access to the GLPI web interface to trusted IP addresses only
Configure web server (Apache/Nginx) to allow only specific IP ranges
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the GLPI server from critical systems
- Enable detailed logging and monitoring for all access to the GLPI Inventory Plugin endpoints
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in GLPI administration: Plugins > Inventory Plugin. If the version is below 1.5.0, the system is vulnerable.
Check Version:
Check GLPI web interface: Administration > Plugins > Inventory Plugin
Verify Fix Applied:
Verify the plugin shows version 1.5.0 in the GLPI administration panel and test that unauthorized users cannot access inventory management functions.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /plugins/fusioninventory/ endpoints
- Unusual inventory data modifications or exports
- Multiple failed authentication attempts followed by successful inventory operations
Network Indicators:
- Unusual traffic patterns to GLPI inventory endpoints from unexpected sources
- Large data transfers from the GLPI server to external IPs
SIEM Query:
source="glpi_access.log" AND (uri="/plugins/fusioninventory/*" AND status=200) AND NOT (user="admin" OR user IN [authorized_users])
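The following script is an added example, not part of this advisory or of the GLPI project: it applies the two log indicators above (successful plugin requests from non-allowlisted or anonymous users, which is the logic of the SIEM query, and a run of failed authentications from one client followed by a successful inventory operation) to Apache/Nginx combined-format access-log lines. The log lines, the user allowlist, the plugin sub-paths and the /login path are constructed; the endpoint prefix is taken from the indicator list above, so adjust PLUGIN_PREFIX to the path your GLPI instance actually serves the plugin under.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log layout: client, ident, authenticated user,
# timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumptions: the endpoint prefix is the one the advisory lists; change it to
# the path your GLPI instance actually serves the plugin under. The allowlist
# stands in for the query's "user IN [authorized_users]" placeholder.
PLUGIN_PREFIX = "/plugins/fusioninventory/"
AUTHORIZED_USERS = {"admin", "inventory-svc"}
FAILED_AUTH_THRESHOLD = 3

# Constructed sample log: one legitimate admin request, a client that fails
# authentication three times and then reaches a plugin endpoint anonymously,
# a non-allowlisted user reading inventory, and a denied admin request.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Mar/2025:09:00:01 +0000] "GET /plugins/fusioninventory/agents HTTP/1.1" 200 1822
10.0.0.9 - - [10/Mar/2025:09:01:10 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Mar/2025:09:01:15 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Mar/2025:09:01:20 +0000] "POST /login HTTP/1.1" 401 512
10.0.0.9 - - [10/Mar/2025:09:01:40 +0000] "POST /plugins/fusioninventory/deploy HTTP/1.1" 200 304
10.0.0.7 - jdoe [10/Mar/2025:09:02:00 +0000] "GET /plugins/fusioninventory/export HTTP/1.1" 200 9000
10.0.0.7 - jdoe [10/Mar/2025:09:02:30 +0000] "GET /dashboard HTTP/1.1" 200 4000
10.0.0.5 - admin [10/Mar/2025:09:03:00 +0000] "GET /plugins/fusioninventory/export HTTP/1.1" 403 100
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" means anonymous
    return rec


def parse_log(text):
    """Parse every line, silently skipping malformed ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_plugin_success(rec):
    """True for a 200 response on a plugin endpoint."""
    return rec["uri"].startswith(PLUGIN_PREFIX) and rec["status"] == 200


def unauthorized_plugin_hits(records, authorized=AUTHORIZED_USERS):
    """Same logic as the SIEM query: successful plugin requests whose
    authenticated user is not on the allowlist (anonymous requests included)."""
    return [r for r in records if is_plugin_success(r) and r["user"] not in authorized]


def failed_auth_then_success(records, threshold=FAILED_AUTH_THRESHOLD):
    """Per client IP, flag a successful plugin request preceded by `threshold`
    or more 401 responses. Records are assumed to be in chronological order."""
    failures = defaultdict(int)
    alerts = []
    for rec in records:
        ip = rec["ip"]
        if rec["status"] == 401:
            failures[ip] += 1
        elif is_plugin_success(rec):
            if failures[ip] >= threshold:
                alerts.append({"ip": ip, "failures": failures[ip], "uri": rec["uri"]})
            failures[ip] = 0  # a success ends the streak either way
    return alerts


def detect(text):
    """Run both indicators over raw log text and return the findings."""
    records = parse_log(text)
    return {
        "unauthorized": unauthorized_plugin_hits(records),
        "failed_auth_then_success": failed_auth_then_success(records),
    }


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the constructed sample the script reports two unauthorized plugin hits (the anonymous POST from 10.0.0.9 and jdoe's export) and one failed-authentication-then-success alert for 10.0.0.9; the admin's 403 on the export endpoint is correctly ignored. Feed it real access-log lines (or wire the same two rules into your SIEM) and tune AUTHORIZED_USERS and FAILED_AUTH_THRESHOLD to your environment.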